ausnog 2016 - the trouble with nat
TRANSCRIPT
The Trouble with NAT(Or why I care about IPv6)
Mark [email protected]@markzzzsmith
AusNOG Conference2016
Application
Transport
Internet
Link
Application
Transport
Internet
Link
Internet Internet
host-to-host
Link Link
Fiber, Satellite,
etc.Ethernet
Data Flow
Ethernet
process-to-process
https://commons.wikimedia.org/wiki/File:IP_stack_connections.svg, Author: Kbrose, Permission: GDFL
Network
Network Operators
Network Vendors
Hosts
Applications
End-Users
Supports
Depends
Us
Our Customers
Packets sent by Hosts should have
a good Probability of Arriving at the destination Host
within an Acceptable Timeframe.
Scaling DimensionsNetwork Elements (Routers / Switches)
Links
Network Capacity
Hosts
Geographic Sites
Vertical Scaling
● “Scaling Up”
● Need to replace existing capacitywhile adding new capacity
● Using a bigger hammer!
Horizontal Scaling
● “Scaling Out”
● Adding new capacity toexisting capacity
● No capacity replacement!
● Divide-and-conquer!
+ +
https://flic.kr/p/8a9uyV; Author: ph-stop; No Mods; Lic: CC BY-SA 2.0
Available >Scalable >
Performance?
Performance means nothingif you crash!
Basic NAT –one:one address translation
Network Address Port Translation (NAPT) –many:one address translation
RFC2663
“NAT”
NAT Impact #1 – Packet Modification
- Fails to understand Transport Layer Protocol (TLP).
- Fails to understand Application Layer Protocol (ALP).
- Can't see TLP and/or ALP due to encryption.
- Receiver considers modifications to be an MITM attack.
Any of Above may result in the Packet being Dropped.
NCSF: Availability IMPACT.
NAT Impact #2 – State / Loss of State
- Traffic driven state means vulnerable to State Exhaustion Denial of Service attack.
- Loss of State due to device Failure means Application Sessions can fail even if there is an alternate Network Path.
- State Synchronisation between redundant NAT devices can be Expensive if devices are Geographically Diverse e.g., different racks, different DCs
NCSF: Availability IMPACT.
NCSF: Budget IMPACT.
NAT NAT
(After 3rd Party Host setup)
3rd Party Host
Games, Instant Messaging, Voice/Video Conferencing
NAT Impact #3 – 3rd Party Host Required
- Applications that suit Direct Communication are forced to use a 3rd Party Host
- 3rd Party Host acts as a Relay for All Traffic or is involved in setting up Direct NAT-to-NAT path.
- 3rd Party Host may be relied on (relay), perform well (relay) and must be Trusted.
NCSF: Availability IMPACT.
NCSF: Performance IMPACT.
NAT NAT
(After 3rd Party Host setup)
Server
Games, Instant Messaging, Voice/Video Conferencing
Client/ServerApplication Architecture
Client Client
Client/Server?
IPv4
[mark@x13 RFCs]$ egrep -i "(Client|Server)" rfc791.txt
[mark@x13 RFCs]$
IPv6
[mark@x13 RFCs]$ egrep -i "(Client|Server)" rfc2460.txt
[mark@x13 RFCs]$
Being a Peer
A device with an IP address should be able to:
Send Packets to and receive Packets from All other devices with IP addresses attached to the Same Network, Security Permitting.
Use its own IP address to Identify itself to Others when Referring to itself.
2001:db8:aaaa:1:23eb:af8e:633e:c7fd
2001:db8:8888:cafe:9ae9:f737:58e7:f5bf2
2001:db8:aaaa:abcf:ee36:6257:a09b:31e3 2001:db8:1234:dead:fb3d:071b:bc6a:10fe
2001:db8:fef8:fef8:a446:168c:0c0f:7250
2001:db8:4564:1432:bc29:0f26:436e:bd15
2001:db8:9999:1:422e:4919:dac1:15702001:db8:9999:2:5193:4162:0ebb:2a0d
The Fundamental Constraint of NAT is that it Prevents IP nodes attached to the same network
from Acting as Peers of each Other.
FAQ: RenumberingIPv6 formally supports multiple concurrent addresses on each interface and addresses lifetimes.
Use Unique Local Addresses (RFC4193) for internal or local traffic, Global prefix(es) for external Internet access.
ULA prefix stays stable and in use during Global renumbering procedure.
Future: Multipath transport protocols e.g., MPTCP, Source Address Dependent Routing (SADR).
FAQ: NAT provides Stateful Firewalling
Stateful Firewalling property of NAT is a side effect of what is necessary to do to perform address translation.
Stateful Firewalling can be performed without address translation (and is, see Linux kernel 'ip6tables' as an example).
FAQ: NAT hides devices
People are really saying, “NAT hides devices from unsolicited inbound address probes”.
Devices are not hidden from other forms of discovery such as HTTP cookies, or addresses and other identifiers that are leaked in other places in protocols.
Network or host stateful or stateless inbound filters can “hide” IPv6 devices, as well as addressing schemes such as IPv6 Temporary/Privacy Addresses and hard to find using probing Stable Opaque (RFC7217) Addresses.
FAQ: NAT Internal Topology Hiding
RFC4864 mentions using host routes for small scale sites and Mobile IPv6 larger ones.
Another option is various forms of tunnelling over IPv4 to make an IPv6 device appear where the tunnelling concentrator is located.
For example, ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) makes IPv6 devices attached to an IPv4 network appear to all come from the same single /64.
Some Further Reading
RFC1627 - “Network 10 Considered Harmful (Some Practices Shouldn't be Codified)”
RFC1958 - “Architectural Principles of the Internet”
RFC2775 - “Internet Transparency”
RFC2993 - “Architectural Implications of NAT”
RFC3439 - “Some Internet Architectural Guidelines and Philosophy”
RFC3879 - “Deprecating Site Local Addresses”
RFC4924 - “Reflections on Internet Transparency”
RFC5902 - “IAB Thoughts on IPv6 Network Address Translation”